Connect with us

Hi, what are you looking for?


Malware & Threats

Many Web Attacks Come From United States: Sucuri

Blocking traffic from certain countries or regions might not be a very efficient way of defending against web attacks, according to an analysis conducted by web security firm Sucuri.

Blocking traffic from certain countries or regions might not be a very efficient way of defending against web attacks, according to an analysis conducted by web security firm Sucuri.

Sucuri has analyzed metadata from 30 days of traffic and more than 480 million requests blocked by its firewall product in order to collect information on the sources of web attacks and exploits. The study has focused on the browser, operating system and the country they come from.

Experts monitored not only the browser user agent, which can be easily spoofed, but also leveraged passive OS fingerprinting to obtain better results.

The SQL injection, brute force and other exploit attempts blocked by Sucuri over a 30-day period had various browser user agents. In 29 percent of cases, the attackers did not set a user agent, while in 16 percent of cases the agent was set to MSIE 6 (Internet Explorer 6), which is often faked by exploit tools. Chrome, GoogleBot and Firefox also made the top 5 – experts believe GoogleBot is likely used because it tricks webmasters into thinking that it’s a legitimate Google request.

WordPress, Java, BingBot, PHP and Perl also made the list, and while each of them account for less than one percent of the total, Sucuri believes they are still worth mentioning.

“Most of these happen when the exploit tool is not modified to change the user-agent or when it is using a specific platform as a middleman (in the case of WordPress). While they account for a small percentage overall, it does show how attackers could use out-of-the-box exploits,” explained Daniel Cid, founder and CTO of Sucuri.

When it comes to operating systems, the user agent showed that 45 percent of attacks came from Windows, five percent from Linux, four percent from Apple devices, while the rest did not specify an OS. However, OS fingerprinting and TCP analysis showed that most of the unidentified operating systems are likely Linux.

Advertisement. Scroll to continue reading.

As for location, more than one-third of the attacks monitored by Sucuri came from the United States, followed by Indonesia, China, Canada, Germany, Ukraine and Russia. Researchers determined that California accounts for 11 percent of attacks.

“So, even though a partial geo-blocking may be effective as a noise reducer, it won’t really stop most attacks, unless you are willing to block the USA,” Cid explained.

Web attack sources

“This data shows us that attacks are very diverse. You can’t just block attackers using one specific bit of data without looking at the complete picture,” the expert added. “Second, user-agents cannot be trusted and can be deceiving. Do not base decisions solely on that data.”

Related Reading: Thousands of CCTV Devices Abused for DDoS Attacks

Related Reading: DDoS Attacks Continue to Rise in Power and Sophistication

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...